Security & trust

The boring part, on the record.

Cairn handles compliance research, not personally identifiable health data, but our customers operate critical infrastructure, so we treat the platform the way they do. Below is the public posture. The DPA, sub-processor list, and pen-test letter are available under NDA on request.

Data residency

All customer data (queries, chats, LOI drafts, billing records) is stored in US-based regions, with US-based disaster recovery. No data leaves the United States. EU residency is available on Enterprise upon request.

No customer data used for model training

We never use your queries, chats, or uploaded content to train or fine-tune models. This is contractual and enforced through zero-retention mode on all model API calls.

Encryption

In transit: TLS 1.3 everywhere, HSTS enforced. At rest: AES-256 across the database, document store, and search index. Database backups are encrypted with separate keys.

Access control

Role-based access (Owner / Admin / Member) at the org tenancy level. Enterprise tier adds SSO via SAML 2.0 (Okta, Azure AD, Google Workspace), SCIM 2.0 user provisioning, and IP allow-listing for the workspace.

Audit log

Every authentication event, role change, chat access, LOI export, and billing action is recorded with actor, IP, and timestamp. Org Admins can export the audit log; Enterprise tier streams it to your SIEM (Splunk, Datadog, Elastic).

Sub-processors

Cairn relies on a small set of US-based sub-processors covering model inference (zero-retention), managed database, search infrastructure, object storage, and billing. The named list, notification policy, and DPA are available on request.

Compliance

SOC 2 Type II audit in progress (Q4 2026). HIPAA BAA available on Enterprise. CJIS, FedRAMP, and ITAR not currently supported.

Vulnerability disclosure

We operate a private security disclosure program. Email security@cairnsafe.com with PGP-encrypted reports. We respond within one business day and run a 90-day disclosure timeline by default.

AI safety posture

Cairn is designed to refuse to fabricate. Assistant responses are grounded in retrieved citations or marked as model-generated. We monitor citation hit rate, refusal rate, and prompt-injection attempts. Findings are reviewed weekly.

Need our security questionnaire response?

We maintain pre-filled responses to CAIQ, SIG Lite, and most enterprise security questionnaires. Email sales for a copy under NDA.